Support Drupal's password encryption algorithms. Most useful for users imported from a Drupal website. Or simply for more secure password encrypt …
The Drupal Password Encryption plugin enables support for Drupal’s password encryption algorithms.
A password encryption algorithm is the method used to secure a password when preparing to save it to the database, such as when registering a new user account, changing a password, or checking if a password is correct when logging in.
This plugin is most useful for users imported from a Drupal website. Users’ passwords can be migrated (with no processing) from Drupal’s users.pass database column to WP’s wp_users.user_pass column. Then, once the plugin is activated, users can log in to the WP website using the same password they used to log in to the Drupal website, without needing a password reset.
This plugin is also useful to simply enable stronger password encryption in WordPress.
Once this plugin is activated, any existing WP user (that was not migrated from Drupal) will still be able to log in using their same password. This is possible because phpass is one of several algorithms that Drupal supports. (phpass is WP core’s default password encryption algorithm.) However, until the user changes or resets their password, it will remain encrypted using phpass.
The plugin works by overriding WP’s pluggable functions wp_hash_password() and wp_check_password() to invoke the equivalent functions in Drupal 7’s password.inc, which is included with the plugin’s files.
This plugin may work on earlier versions of WordPress. Please share your findings if you try it.
drupal-password-encryption/ directory to wp-content/plugins/drupal-password-encryption/.
users.pass in the Drupal website’s database to wp_users.user_pass in the WP website’s database.
No. Drupal supports WP core’s password encryption algorithm too. So they can continue to log in using the same password even after the plugin is activated.
No. Once the plugin is activated and passwords correctly migrated, the plugin will allow imported users to log in with the same password as they used on the Drupal website.
This plugin does not migrate any user data for you. So imported users’ usernames and email addresses will depend on how you import them from the source.
Drupal has upgraded its password encryption several times. But stored passwords cannot be updated without the unencrypted (plain text) password, which is only available when logging in.
Drupal does update passwords stored using older encryption algorithms when the user logs in. But all old algorithms must be supported until there are no more passwords stored using old algorithms, which might never happen.
When a password is changed or reset, Drupal’s default encryption algorithm (the most secure) is used.
However, this plugin does not update passwords when a user logs in, like Drupal does, as described above. This feature would be a welcome contribution.
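The verify-then-upgrade-at-login behaviour described above, as an added Python sketch; it is not the plugin's or Drupal's code. It re-implements the stretched-hash format of Drupal 7's password.inc as understood here: the `$S$`, `$P$`/`$H$` and `U$` prefixes, the cost character and the 55-character length come from that file rather than from this page, the function names are this example's own, and the sample hash is constructed.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ALGOS = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}  # hash prefix -> digest
HASH_LENGTH = 55   # Drupal 7 truncates every stored hash to 55 characters
DEFAULT_LOG2 = 15  # Drupal 7 default cost: 2**15 iterations

def _b64(data: bytes) -> str:  # phpass-style base64, little-endian 3-byte groups
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(chunk) + 1)]
    return "".join(out)

def crypt(password: str, setting: str) -> str:  # setting: prefix, cost char, salt
    log2, salt = ITOA64.index(setting[3]), setting[4:12]
    if setting[:3] not in ALGOS or not 7 <= log2 <= 30 or len(salt) != 8:
        raise ValueError("malformed setting string")
    algo, pw = ALGOS[setting[:3]], password.encode()
    digest = hashlib.new(algo, salt.encode() + pw).digest()
    for _ in range(1 << log2):  # key stretching
        digest = hashlib.new(algo, digest + pw).digest()
    return (setting[:12] + _b64(digest))[:HASH_LENGTH]

def check(password: str, stored: str) -> bool:
    if stored.startswith("U$"):  # MD5 hash that was re-hashed without the plain text
        password, stored = hashlib.md5(password.encode()).hexdigest(), stored[1:]
    try:
        return hmac.compare_digest(crypt(password, stored).encode(), stored.encode())
    except (ValueError, IndexError):
        return False

def needs_rehash(stored: str, want_log2: int = DEFAULT_LOG2) -> bool:
    # True for anything that is not a full-length $S$ hash at the wanted cost
    return (not stored.startswith("$S$") or len(stored) != HASH_LENGTH
            or ITOA64.find(stored[3]) != want_log2)

def login(password: str, stored: str) -> tuple[bool, str]:
    if not check(password, stored):  # never touch the stored hash on failure
        return False, stored
    if needs_rehash(stored):  # plain text is known only at this moment
        stored = crypt(password, "$S$" + ITOA64[DEFAULT_LOG2] + _b64(secrets.token_bytes(6)))
    return True, stored

if __name__ == "__main__":
    legacy = crypt("correct horse", "$P$B" + "CONSTRCT")  # constructed phpass hash
    print(legacy, "->", login("correct horse", legacy)[1])
```

The second value returned by `login()` is what would be written back to `wp_users.user_pass` after a successful login.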
Submit a GitHub pull request: https://github.com/BevanR/Drupal-password-encryption-for-WordPress
Nothing per se.
However, as computer hardware gets faster and hackers create more powerful tools, encrypted data gets easier to break by “brute force”. More advanced encryption algorithms keep data security ahead of the curve and make it harder to hack encrypted data.
WP core’s password algorithm (phpass) is older than some alternatives. Many tools (e.g. rainbow tables) are available to make it relatively easy for hackers to get plain text passwords from phpass-encrypted data.
Of course, the attacker first needs a copy of the encrypted data (your database) before they can start trying to retrieve plain text passwords from the encrypted data.